
[BUG] --prod flag includes devDependencies of workspace packages in module's dependencies list #256

Open
1 of 2 tasks
Llois41 opened this issue Jan 29, 2025 · 7 comments
Labels
bug Something isn't working help wanted Extra attention is needed

Comments

@Llois41

Llois41 commented Jan 29, 2025

Describe the bug

When having a workspace package, importing it as a dependency leads cyclonedx-yarn to include its devDependencies in the SBOM as well.

To Reproduce

https://github.com/Llois41/cyclondx-dev-dependency-reproduction/tree/master

Expected behavior

I would expect that the created sbom.json file will only contain the production dependencies of the workspace's package.

Environment

  • @cyclonedx/yarn-plugin-cyclonedx version: 2.0.0
  • yarn version: 4.5.3
  • Node version: 22.13.1
  • OS: MacOS

Contribution

  • I am willing to provide a fix
  • I will wait until somebody else fixes it
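A regression check for the behaviour described in this report, added here as an example (not part of cyclonedx-yarn or the reproduction repo): it takes the CycloneDX JSON produced with --prod plus the package.json manifests of every workspace package, and lists components that the workspaces declare only under devDependencies. It only looks at direct declarations, so the transitive dependencies of a devDependency are not covered; the sbom.json and manifests below are constructed to mirror the report.

```javascript
// Constructed sample: a root workspace that depends on workspace package
// "lib-a"; lib-a has a production dependency (lodash) and a devDependency
// (jest). An SBOM built with --prod should not contain jest.
const sbom = {
  bomFormat: 'CycloneDX',
  specVersion: '1.6',
  metadata: { component: { type: 'application', name: 'root', version: '1.0.0' } },
  components: [
    { type: 'library', name: 'lib-a', version: '1.0.0', purl: 'pkg:npm/lib-a@1.0.0' },
    { type: 'library', name: 'lodash', version: '4.17.21', purl: 'pkg:npm/lodash@4.17.21' },
    { type: 'library', name: 'jest', version: '29.7.0', purl: 'pkg:npm/jest@29.7.0' },
  ],
};

// Constructed package.json contents of each workspace package (only the
// fields the check needs).
const workspaceManifests = [
  { name: 'root', dependencies: { 'lib-a': 'workspace:*' }, devDependencies: { typescript: '^5' } },
  { name: 'lib-a', dependencies: { lodash: '^4.17.21' }, devDependencies: { jest: '^29' } },
];

// Split the names declared across all workspace manifests into production
// and dev-only sets. The workspace packages themselves count as production,
// and a name that is a production dependency of any workspace is never
// treated as dev-only, since a --prod install legitimately brings it in.
function classifyDeclared(manifests) {
  const prod = new Set();
  const dev = new Set();
  for (const m of manifests) {
    prod.add(m.name);
    for (const n of Object.keys(m.dependencies ?? {})) prod.add(n);
    for (const n of Object.keys(m.devDependencies ?? {})) dev.add(n);
  }
  for (const n of prod) dev.delete(n);
  return { prod, dev };
}

// Return the identifiers (purl, or name@version when no purl is present) of
// every SBOM component that the workspaces declare only as a devDependency.
function findDevOnlyComponents(bom, manifests) {
  const { dev } = classifyDeclared(manifests);
  return (bom.components ?? [])
    .filter((c) => dev.has(c.name))
    .map((c) => c.purl ?? `${c.name}@${c.version}`);
}

console.log('dev-only components in SBOM:', findDevOnlyComponents(sbom, workspaceManifests));
```

On a real project, load sbom.json and each workspace's package.json with JSON.parse and pass them to findDevOnlyComponents; an empty result means the --prod SBOM is clean with respect to direct devDependencies.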
Llois41 added the bug (Something isn't working) label Jan 29, 2025
@jkowalleck
Member

Thank you for the report.

And thank you for providing an environment where the situation may be reproduced.
I will try to craft a test env for this project, which will come in handy for regression-testing.

@jkowalleck

This comment has been minimized.

@Llois41
Author

Llois41 commented Jan 29, 2025

Hi @jkowalleck

I fixed the settings in the reproduction git repo, you should (after fresh git pull) be able to run it locally yourself. May I ask you to delete your last comment, because of the internal company URL? :)

Thanks for having a look!

@jkowalleck
Member

jkowalleck commented Jan 29, 2025

it is still there: https://github.com/Llois41/cyclondx-dev-dependency-reproduction/blob/300481488a32697a2b27e3f648ee792fd6686432/.yarnrc.yml#L1
maybe you could fixup/squash the repo to be just one commit. but then GitHub would still keep the old (orphan) commit (git node) somewhere.

Also, i do not see a reason for obscurity.
The internal resource is not reachable, and if it was, then you'd have much bigger problems - regardless of whether the resource had a resolvable DNS entry.

so i think there is no need to worry about anything.
PS: even the official DB repos publish this resource:

@jkowalleck
Member

some brief research showed that the workspace support was lacking features.
see #257

@Llois41
Author

Llois41 commented Jan 29, 2025

yeah, I didn't clean up the history, but the new master should at least work :D And yeah, I also think, it is no issue.

@jkowalleck Alright, thanks for creating the collector issue. Can you give a rough estimation when you will have the capacity to work on the workspace support?

If others run into this issue as well: for now we work around it by installing only production dependencies and then using the "zero-install yarn dlx wrapper", but this makes versioning a little bit harder, since we have to add a separate renovate config rule instead of just having the dependency in our package.json ^^

@jkowalleck
Member

Can you give a rough estimation when you will have the capacity to work on the workspace support?

I might have some time in the next 6 months. cannot promise anything.

Anyway, this tool is a community effort. Everybody is invited to contribute :-D
If you or your organization need a certain feature, feel free to donate/champion it.

jkowalleck added the help wanted (Extra attention is needed) label Jan 29, 2025